FTP through Proxy failing with error "202 Command not implemented, superfluous at this site"

Article ID: 173363

Products

ProxySG Software - SGOS

Issue/Introduction

FTP communication to a particular server fails when going through your ProxySG or ASG device.

"202 Command not implemented, superfluous at this site" is displayed in the browser and appears in packet/HAR captures.

Cause

If we take a packet capture and analyze the TCP streams containing the FTP communication, we can see that the FTP communication starts normally. The ProxySG then sends an MDTM request, and the server or upstream device ACKs it but immediately returns the FTP error "202 Command not implemented, superfluous at this site". The MDTM message appears to be the problem here, as it is what triggers the FTP 202 response.

MDTM is part of the FTP Extensions RFC (refer to https://tools.ietf.org/html/rfc3659#section-3); however, it is not accepted by all FTP servers.

Note that the ProxySG's FTP proxy needs to send this message; as long as the FTP proxy is used, the MDTM message will be sent.
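To confirm from a capture which command drew the 202, the control-channel text can be paired command by reply. The following Python sketch is an added example, not part of the original article or any Broadcom tooling; the sample transcript, file name and function names are constructed for illustration.

```python
import re

# Final reply "ddd text", or first line of a multi-line reply "ddd-text" (RFC 959).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# Reply codes that mean the server does not implement the command it was sent.
NOT_IMPLEMENTED = {"202", "500", "502", "504"}

# Constructed control-channel text, in the form a followed TCP stream shows it.
SAMPLE = """\
220 FTP server ready
USER anonymous
331 Password required
PASS proxy@
230 Logged in
FEAT
211-Features:
 SIZE
211 End
MDTM report.csv
202 Command not implemented, superfluous at this site
"""

def pair_exchanges(transcript):
    """Return (command, code, text) per final reply; command is None for the greeting."""
    exchanges, pending, multi = [], None, None
    def finish(code, text):
        nonlocal pending
        if not code.startswith("1"):  # 1xx is preliminary, the final reply follows
            exchanges.append((pending, code, text))
            pending = None
    for line in filter(str.strip, transcript.splitlines()):
        if multi:  # inside a multi-line reply: only "ddd<space>" closes it
            if line.startswith(multi + " "):
                finish(multi, line[4:])
                multi = None
            continue
        m = REPLY.match(line)
        if m is None:  # a client command; never keep the password argument
            verb = line.split()[0].upper()
            pending = "PASS ****" if verb == "PASS" else line.strip()
        elif m.group(2) == "-":
            multi = m.group(1)
        else:
            finish(m.group(1), m.group(3))
    return exchanges

def rejected_commands(transcript):
    """Commands the server answered with a 'not implemented' class reply."""
    return [e for e in pair_exchanges(transcript) if e[1] in NOT_IMPLEMENTED]
```

Calling `rejected_commands()` on the text exported from the capture lists each command the server refused; on the constructed sample it returns only the MDTM request.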

Resolution

It is recommended to contact the FTP administrators / developers and have them add support for the MDTM FTP method, so that the ProxySG can complete the FTP communication without receiving the 202 error from the server.

If this is not possible or a faster solution is required:

  • For Transparent environments, the FTP server can be fully bypassed. Please refer to TECH241979 or TECH243229.

  • For Explicit deployments, the connection is always intercepted, and when incoming FTP traffic is detected it is handled by the FTP proxy automatically rather than being fully bypassed and tunneled as in Transparent. To fully bypass the FTP server in an Explicit deployment:
    1. Confirm with your firewall administrators that the FTP site can be accessed directly by the endpoints. (Most of the time, all connections to external resources are blocked by the firewall or upstream devices if they aren't coming from the proxy.)
    2. On a test computer, modify the proxy configuration so that the client goes directly to the FTP server, and test whether the server works as expected. To do this, go to Internet Options > Connections > LAN Settings, click the "Advanced" button next to the proxy address, enter a semicolon and the URL this way "; myftp.mycompany.com" (without the quotation marks), and click "Accept".
    3. If this test is successful, you can proceed to distribute this setting to all computers in the network through your Active Directory. You can use a PAC file or WPAD to help distribute and manage this and other exceptions as well.